Security Advisory Moderate: java-1.4.2-ibm security update

Advisory: RHSA-2010:0408-1
Type: Security Advisory
Severity: Moderate
Issued on: 2010-05-12
Last updated on: 2010-05-12
Affected Products: Red Hat Enterprise Linux for SAP
CVEs ( CVE-2009-3555


Updated java-1.4.2-ibm packages that fix various security issues are now
available for Red Hat Enterprise Linux 4 and 5 for SAP.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The IBM 1.4.2 SR13-FP4 Java release includes the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit.

This update fixes various vulnerabilities in the IBM Java 2 Runtime
Environment and the IBM Java 2 Software Development Kit. These
vulnerabilities are summarized on the IBM "Security alerts" page listed in
the References section. (CVE-2009-3555, CVE-2009-3867, CVE-2009-3869,
CVE-2009-3871, CVE-2009-3874, CVE-2009-3875)

For the CVE-2009-3555 issue, this update disables renegotiation in the
non-default IBM JSSE2 provider for the Java Secure Socket Extension (JSSE)
component. The default JSSE provider is not updated with this fix. Refer to
the IBMJSSE2 Provider Reference Guide, linked to in the References, for
instructions on how to configure the IBM Java 2 Runtime Environment to use
the JSSE2 provider by default.

When using the JSSE2 provider, unsafe renegotiation can be re-enabled using
the property. Refer to the following
Knowledgebase article for details:

Warning: Do not install these java-1.4.2-ibm packages for SAP alongside the
java-1.4.2-ibm packages from the Red Hat Enterprise Linux Extras or
Supplementary channels on the Red Hat Network. Doing so could cause your
system to fail to update cleanly, among other possible problems.

All users of java-1.4.2-ibm for Red Hat Enterprise Linux 4 and 5 for SAP
are advised to upgrade to these updated packages, which contain the IBM
1.4.2 SR13-FP4 Java release. All running instances of IBM Java must be
restarted for this update to take effect.


Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at

Updated packages

Red Hat Enterprise Linux for SAP

x86_64:     MD5: 56269b4dc53d9072c864d17b6ad5d797
SHA-256: 7d72e9778f8c48fceaea3e1971fe7be58d9e64132ffa277d30158de2e1cd016e     MD5: c458438b17dba99752658d9bff90dbd5
SHA-256: d93745e556d1ed4ac522837fbf26018638c6cf22d0882a5b2117fb05a838552a     MD5: f2405ea014b090bc53c45e0ca16e1d4d
SHA-256: c9212b5ab11a296f264d7ad950f21f16ed2cec4d9749086b6a27f3db148f1873     MD5: 618054913575f5fb200f00b35225011b
SHA-256: 19051a1b244190fb7fd52cd333651d9de0a325c958a58970c6c650ba2b06f201     MD5: 694300e0a8d940d6f6139779b10da270
SHA-256: f275b17a9bd83319845ce8b46a3506f22d17916dc40a40b6291495d23fa8bc88     MD5: be907ff01911ad80aeb8b9b79ec7ea55
SHA-256: d084652ee6770516cff2cebfa856fdabe266c314a238d0642b653f33e22e0aa6     MD5: 925e4dc35999ac4b41a70c72f0efed02
SHA-256: bce3ea6badc33c022065438b47050751e62344267e076465bc723579ae7f8ad7     MD5: c82e0b8bdc3dc31892bc618559a4bbf9
SHA-256: deaf10f4e2b6fe58958df983e292bd1fb0f6b05f2c1fd288d551aa41a3f9a03e     MD5: 8addb395d4b9f640130a3103803863bb
SHA-256: 16ce32a0d17592780a1a63e68f8158af64ffe71e0da596fd0b9742c23f0b92f3     MD5: 827207b6c17129d666191a6890fa7dfd
SHA-256: 692e151749e3233f01bbadc748331bd6df154ebb6dfcadc3f3110a79deeea9a1
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

530057 - CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)
530062 - CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357)
530063 - CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358)
530067 - CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643)
533125 - CVE-2009-3555 TLS: MITM attacks via session renegotiation
533214 - CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303)


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

The Red Hat security contact is More contact details at